7 Things to Keep in Mind When Assessing the Security Risk of Using WordPress as a CMS

The other night, I was part of a panel discussion at Boulder Digital Arts about WordPress. We had three panelists: me, Bethany Siegler of UniqueThink.com, and Doulgas Wray of MacWebGuru.com.

In the middle of the presentation, someone asked:

A programmer friend of mine suggested that I should use a lesser known CMS because WordPress is so popular and therefore vulnerable to attack. What do you think?

Like true WordPress evangelists, Bethany, Douglas, and I immediately rallied in support of WordPress citing that the responsiveness of the WordPress developers to patch security risks and practical security precautions would help thwart or enable you to recover from potential attacks. Yet, thinking about it later, if malicious code was injected into your site that could, in turn, cause Google to remove your site entirely from the search engine, and that would indeed be difficult to recover from.

So, what’s a web developer, blogger, or business owner to do? Should we avoid WordPress because of its vulnerability? Should we reassess our content management needs and perhaps choose a more “obscure” CMS if it meets our needs? After a lot of ruminating on these questions and doing several Google searches, I have this more thoughtful and less cavalier response to the question above:

1) All PHP web content management systems are vulnerable to attack.

This includes Joomla!, Drupal, WordPress and others. However, these three made the top 10 list on IBM’s X-Force® 2008 Trend Statistics. Vulnerabilities are getting more numerous, and we are getting less safe on the Internet. What these three applications have in common is that they are all written in PHP and use MySQL database. The real problem is with SQL injections in which malicious code can be inserted into your database that could wreak havoc on your site.

It does not appear that WordPress is any more inherently vulnerable to attack than other popular CMS platforms running on PHP. In fact, WordPress has actually made great strides in its security causing it to fall off the list for the 2009 Trend Mid-Year Statistics. WordPress is more vulnerable because of it’s popularity: a successful WordPress hack is great bang for the buck, so to speak. The lesson here is that you SHOULD be concerned about security and doing what you can to secure your site.

2) The stability of the CMS and the cost involved in upgrading are important risk factors.

While WordPress showed up on the IBM’s X-Force Trend Statistics for the first time (along with Drupal and Joomla!) in 2008, in the first half of 2009, WordPress practically dropped off the charts with less than a handful of vulnerability disclosures in the first half of this year. Many WordPress websites came under attack late this past summer, yet, the sites that were attacked were running older versions of the software, and the current version of WordPress at the time of the attacks was not vulnerable. WordPress has made it easier to update it’s software and does regularly update its software and is a stable product due to its large amount of support.

Keep in mind that there is a correlation between the sheer volume of use and the number of vulnerabilities reported. Custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. That’s where we have to really look at how responsive the WordPress community is to addressing security risks and coming out with timely security patches that are EASY to implement.

If a security update is going to be time consuming, difficult, or costly to implement, then it’s less likely that you will do it. If you’re running a more obscure CMS or one that doesn’t have a robust support community, will you have access to timely updates and will it be easy for you to perform these updates?

3) 3rd party plugins expose users to risks.

While we may have confidence in the WordPress developers to create a secure application, there are no formal regulations or oversight for WordPress plugin developers. ANYONE can develop and promote a plugin. These plugins may have security vulnerabilities and likely many of them do. While people call me the “plugin queen,” I try to limit my plugin use to those plugins that have a reputable developer behind them who regularly update their plugins.

According to some, no person should be engaged to write web applications unless they can pass the GSSP Secure Software Programming exam that covers the essential security skills and knowledge that developers need to produce more secure applications. But, as we all know, in the open source environment, the plugins we are using with WordPress are being developed by many people who know little about programming in general, much less about secure software programming specifically.

Be discerning in choosing plugins and perhaps use the SEO WordPress Firewall plugin to add another layer of protection to your site.

4) Risk assessment needs to include ongoing technical support and technical relevancy, not just risk of hack.

Businesses need to asses the type of ongoing support they can expect for their website software as well as the dedication to developing the software to keep up with current website technologies and trends. Perhaps going with a more “obscure” solution feels safer because it’s not making the headlines for hacks, but is it any more hack proof than other solutions? And, how long will this software be around? What happens if the developer goes out of business, or, if you developed it in house, you lose the employees who know how it works? Does it have enough community support to have some longevity?

Things change, but we don’t necessarily want to have to change our entire web software solution every two years.

5) Remember the basics: security through obscurity, appropriate file permissions, and strong passwords.

One of the best ways to prevent a WordPress-specific attack is to NOT broadcast that you use WordPress for your website, not use “admin” as your administrator user name, and create strong passwords.

• Six Revisions wrote a great post on 12 Essential Security Tips and Hacks for WordPress that is definitely worth reading and performing on each of your WordPress installs (you can run the wp-security-scan plugin to check for some of these vulnerabilities and perform some of the hacks automatically).
• Also, be sure to read: http://codex.wordpress.org/Hardening_WordPress for other must-do security measures.

6) Stay updated.

While these tips and hacks make a lot of sense, I’m not sure if hackers can’t get past them to discover what CMS and version you’re running, and therefore keeping your WordPress version continually updated with the latest security patches is very important.

7) Regularly monitor your website.

How will you now you’ve been hacked? Do you check all of your sites daily? Today’s hackers usually won’t host the malware on the infected website, they’ll install redirect code on an infected, legitimate website. An anti-virus scan of your webserver or website will rarely detect this redirect code.

• Check all the links from your site to external sites and for any changes made to your site (comparing file modification date, for example). Hackers do install scripts to check for the browser/user agents being used and some exploits don’t show up in certain browsers and others will only show if the site is indexed by Google to have high ranked sites point to their site. You can use the W3C Link Checker to find all of the links from your site to other sites. The Broken Link Checker Plugin is also handy for checking links on your posts and pages.
• There are some website security scanners out there. I would be interested to know what people are using. If you’re not using scanning software, then you need to at least routinely check your site in different browsers for any suspicious looking links, code or activity.
• You can also set up Google Alerts to email you if any strange words are being index from your site (http://www.blogstorm.co.uk/how-to-use-google-alerts-to-find-out-if-your-site-gets-hacked/).
• The SEO WordPress Firewall plugin and Limit Login Attempts plugin will notify you of some attempts to hack your site. Douglas Wray also recommends Bluetrait Event Viewer.

The takeaways:

• Vulnerabilities to PHP and MySQL run websites are out there and are trending towards increasing.
• Take the necessary precautions to protect your site, this includes choosing plugins carefully, performing regular backups, regularly scanning your website for hacks, using strong usernames and passwords, and obscuring the fact you’re using WordPress
• Pick your CMS carefully — WordPress does have strong support and implements patches quickly. If you decide to not use WordPress, then do a careful risk assessment of whatever tool you decide to use both in terms of security vulnerabilities, ease of updates, and long-term support and viability. Remember, all PHP applications are vulnerable as well as others, including good ol’ HTML pages that might use contact forms, iframes, scripts, etc.
• Are you part of the problem? See this great web security post on Smashing Magazine: http://www.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/

What do you recommend?

The WordPress community is dedicated to WordPress and its continued growth. But most used = most vulnerable. We use vulnerable products every day with Microsoft and Apple at or near the top of the list of exploited software. Yet, we take it quite personally when it’s OUR website that gets hacked, and our Google rankings that go down the drain.

Discussing these security concerns is important. We shouldn’t take anything for granted. We do need to take appropriate steps on a regular basis since PHP and MySQL are vulnerable and hackers are going to continue to exploit that vulnerability with increasing force. With this in mind:

• Would any of you choose ANOTHER CMS over WordPress because of security concerns? If so, which one? What makes it more secure?
• What do you do beyond the “12 Essential Security Tips” and Hardening WordPress recommendations mentioned above to keep your WordPress install secure?
• How do you spot a hack quickly? Do you use some sort of scanning software?
• Has your WordPress install been hacked and did it effect your Google Rankings?
• Any other comments?

I appreciate the comments and feedback from more seasoned web professionals.